Renseignement sur les menaces

Belgique

34.76.60.10

FAI Google LLC Première vue 19/05/2026 09:39 UTC Dernière vue 15/06/2026 22:27 UTC Risque Moyen

Période analysée : 2026-05-17 → 2026-06-16

Activité suspecte — risque 53/100 (Moyen) — MITRE TA0001 — confiance 62 % — via ELASTICSEARCH

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Moyen · Risque max (7j) Moyen

Synthèse exécutive

Profil de menace

Score de risque 63/100 Moyen

Première observation 19/05/2026 09:39 UTC

Dernière observation 15/06/2026 22:27 UTC

Événements (période) 538

MITRE ATT&CK principal TA0007 208 occurrences

Activité suspecte — risque 53/100 (Moyen) — MITRE TA0001 — confiance 62 % — via ELASTICSEARCH

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Tentative d'exploit (tag rce-0) · confiance 62%

Confiance 62 % — Score WAF 72 · 3 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 34.76.48.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 538 événements sur la période pour cette IP.

198.235.24.79 Sonde PostgreSQL 16/06/2026 05:51 UTC
198.235.24.50 Sonde MySQL 16/06/2026 05:51 UTC
162.216.149.184 Scanner web 16/06/2026 05:51 UTC
147.185.132.246 Sonde PostgreSQL 16/06/2026 05:51 UTC
147.185.133.168 Scanner web 16/06/2026 05:51 UTC
35.203.210.145 Scanner web 16/06/2026 05:51 UTC
35.203.210.217 Scanner web 16/06/2026 05:50 UTC
35.203.210.220 Scan vulnérabilités 16/06/2026 05:50 UTC

Événements (filtres)

538

Première observation

19/05/2026 09:39 UTC

Dernière observation

15/06/2026 22:27 UTC

Dernière activité (filtres)

15/06/2026 22:27 UTC

Événements 7j

287

Ports distincts (7j)

219

Classifications (7j)

199

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 464 MONGODB TCP 52 TLS TCP 11 FTP TCP 2 RTMP TCP 1 SAP ICM TCP 1 SMB TCP 1 CLICKHOUSE NATIVE TCP 1 MYSQL TCP 1 ELASTICSEARCH TCP 1 QUIC HTTP3 STUB TCP 1 ELASTICSEARCH TRANSPORT ALT TCP 1

HTTP

464

MONGODB

TLS

FTP

RTMP

SAP ICM

Géolocalisation

Origine réseau déclarée

Belgique unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 194 Port 9200 exploit_attempt

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

exploit attempt · via ELASTICSEARCH:9200 · (tentative d'exploit)

Détails protocole

Méthode: GET
Chemin: /
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Elasticsearch: Requête Elasticsearch : /

Aperçu payload

GET / HTTP/1.1 Host: 62.3.50.33:9200 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: *

Port / service

9200 · ELASTICSEARCH

Service émulé

ELASTICSEARCH

Raison confiance

Confiance 62 % — 3 tag(s) WAF

Technique MITRE

TA0001

Persona capteur

mail.sensor-1.internal

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1190

Confiance

62%

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

538 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

538 événement(s) — page 4/11

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 09:37:22 UTC	TCP	12165 · HTTP	http	Sonde port 12165/TCP port 12165 tcp · via HTTP:12165 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12165 Chemin / cible / Preuve honeypot — Sonde port 12165/TCP Connexion détectée sur le port 12165 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_12165_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12165 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12165 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "15099aba049f79d14b124e4292d3c58a709c57e8", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.085780104412065, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 12165, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "44c5568bda51dd7a8d60d1171358709a56d4df18", "event_fingerprint": "a258ff398182c766c98f7bf4bafa2514567e051f", "classification_reason": "Type \u00ab port_12165_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "dc15f0ec7f004ddc9ca2868f2bc475b5", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12165, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_12165_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c2a2399895848a1a4158187e618d9d08c049150e", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12165, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 12165 tcp \u00b7 via HTTP:12165 \u00b7 (sonde \/ probe)", "target_port_label": "12165 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_12165_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_12165_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12165, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12165, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 12165 tcp \u00b7 via HTTP:12165 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "12165 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12165" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 09:35:01 UTC	TCP	21257 · HTTP	http	Sonde port 21257/TCP port 21257 tcp · via HTTP:21257 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 21257 Chemin / cible / Preuve honeypot — Sonde port 21257/TCP Connexion détectée sur le port 21257 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_21257_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:21257 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:21257 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "a791992f62aba965b20ca7fa328b05e951641e8b", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.096905764435193, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 21257, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "bc40fe214bf8f1eb2b03da17a07686e5c282f765", "event_fingerprint": "cfd6cee2fabfd404f22dbc4142956bb4dc8a8358", "classification_reason": "Type \u00ab port_21257_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "6fd9920cda55dc25948116b0dfd5054e", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 21257, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21257\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21257\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21257\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21257\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21257\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_21257_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0035bb3f0105769e7a56e3753b054a6dfb7cdfd5", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 21257, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21257\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 21257 tcp \u00b7 via HTTP:21257 \u00b7 (sonde \/ probe)", "target_port_label": "21257 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_21257_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_21257_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 21257, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 21257, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 21257 tcp \u00b7 via HTTP:21257 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21257\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "21257 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "21257" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 09:32:32 UTC	TCP	8467 · HTTP	http	Sonde port 8467/TCP port 8467 tcp · via HTTP:8467 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8467 Chemin / cible / Preuve honeypot — Sonde port 8467/TCP Connexion détectée sur le port 8467 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8467_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8467 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8467 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "e574145bf0e002bc516af1f223b8a3ea08ae6f47", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.143645385302128, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8467, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "17ac71e5d8aff52a77591ccc6c90cbba6b1d307f", "event_fingerprint": "d7d0e3eb36ff21de9dbc2e11454b8cca42c8060b", "classification_reason": "Type \u00ab port_8467_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "f8d92939f91b3ebd62dd2ecca9b1a678", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8467, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8467\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8467\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8467\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8467\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8467\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8467_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4a62975c58950ba88de167e311e52dcc5770073b", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8467, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8467\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8467 tcp \u00b7 via HTTP:8467 \u00b7 (sonde \/ probe)", "target_port_label": "8467 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8467_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8467_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8467, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8467, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8467 tcp \u00b7 via HTTP:8467 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8467\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8467 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8467" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 09:29:33 UTC	TCP	22000 · HTTP	http	Sonde port 22000/TCP port 22000 tcp · via HTTP:22000 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 22000 Chemin / cible / Preuve honeypot — Sonde port 22000/TCP Connexion détectée sur le port 22000 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_22000_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:22000 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:22000 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "a153e5f72c04e8a17b3da8f4103e06403af160cb", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.079965458342179, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 22000, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "3caa4a36a862385590a177cfdad3a19cebae457b", "event_fingerprint": "a09f6ba9993e415784e06c9f95a3e514e20a7f34", "classification_reason": "Type \u00ab port_22000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "8f1c854a853f578dfd052fb1e7e543a4", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 22000, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_22000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ae906c65cff208e91ab3970a1c5e684a3131413a", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 22000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 22000 tcp \u00b7 via HTTP:22000 \u00b7 (sonde \/ probe)", "target_port_label": "22000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_22000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_22000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 22000, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 22000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 22000 tcp \u00b7 via HTTP:22000 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "22000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "22000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 09:26:10 UTC	TCP	3542 · HTTP	http	Sonde port 3542/TCP port 3542 tcp · via HTTP:3542 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3542 Chemin / cible / Preuve honeypot — Sonde port 3542/TCP Connexion détectée sur le port 3542 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_3542_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3542 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3542 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "5e570f3e88d763529afbdf12b95d9aa8a860596f", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.091524560134753, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 3542, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "1e09805318d202242642c6a34945b13c5158ba1a", "event_fingerprint": "c35fd706132042465d050983f94488cfeac18eca", "classification_reason": "Type \u00ab port_3542_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "777b44e68b21b59332427acaf74dc338", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3542, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3542\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3542\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3542\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3542\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3542\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_3542_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "37ee97988d595c68ee5b4e96cf591f3a33679eda", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3542, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3542\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 3542 tcp \u00b7 via HTTP:3542 \u00b7 (sonde \/ probe)", "target_port_label": "3542 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_3542_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_3542_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3542, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3542, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 3542 tcp \u00b7 via HTTP:3542 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3542\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "3542 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3542" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 09:24:57 UTC	TCP	3097 · HTTP	http	Scan de ports port scan syn · via HTTP:3097 · (reconnaissance)	Élevée	Moyen · 44
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3097 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +6 Risque capteur Moyen · 44 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3097 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3097 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "f4846a31fa8bfe46d92df926f2bf7dcc19b9b5c3", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.118921820408727, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 3097, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 44, "tag_count": 4, "anomaly_count": 1, "campaign_key": "fa6fd2b167ba8f41a79f9bf5c10b0c228494db68", "event_fingerprint": "ec6c893b576794f13f74cb92a475548674d9fa82", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 44, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "de6adb2c2380f0b04fcc984cdb30ef84", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3097, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3097\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3097\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3097\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3097\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3097\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2e0435109401621655f79f50a33782161a4e9b1e", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3097, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3097\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:3097 \u00b7 (reconnaissance)", "target_port_label": "3097 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne multi-ports", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 44, "correlation_boost": 6 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3097, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports" ], "correlation_flags_labels_fr": [ "Campagne multi-ports" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +6", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3097, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:3097 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3097\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "3097 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +6 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3097" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 3097, 3155, 8503, 18070 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 09:24:45 UTC	TCP	18070 · HTTP	http	Scan de ports port scan syn · via HTTP:18070 · (reconnaissance)	Élevée	Moyen · 44
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18070 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +6 Risque capteur Moyen · 44 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:18070 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:18070 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "3f5efc2a6c434659f1ded95de7a173a4a041ac4c", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.129931294858822, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 18070, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 44, "tag_count": 4, "anomaly_count": 1, "campaign_key": "699f75a1863a719e7df6ee11d7397b1183f3a32d", "event_fingerprint": "010fd0597383cc59fd9dc1c99f5132a818a63901", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 44, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "63072c749f2b93953b1679689874e3d8", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 18070, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "82b3228ff5decacbfe5cc114f21b721b6fa5cd6b", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 18070, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port scan syn \u00b7 via HTTP:18070 \u00b7 (reconnaissance)", "target_port_label": "18070 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne multi-ports", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 44, "correlation_boost": 6 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18070, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports" ], "correlation_flags_labels_fr": [ "Campagne multi-ports" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +6", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 18070, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:18070 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "18070 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +6 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18070" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 3155, 8503, 8935, 18070 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 09:24:23 UTC	TCP	8503 · HTTP	http	Scan de ports port scan syn · via HTTP:8503 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8503 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8503 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8503 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "35d50214dbec29f0dfbe752ce03d9b2e2cda1ee4", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.100052727928154, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8503, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 1, "campaign_key": "dbbb1fc68ac2bea7ac8cb3d4b931ead2704b7b12", "event_fingerprint": "84fe241cdafa94a14e7b85d85e21f6b8a6af8cc7", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "0f420cad47b0eed492c2d3f9120de188", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8503, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1c43045ac9d2ed4889c82b3ed05b275eab77c957", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8503, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:8503 \u00b7 (reconnaissance)", "target_port_label": "8503 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8503, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8503, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8503 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8503 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8503" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "rtmp" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 09:24:10 UTC	TCP	3155 · HTTP	http	Sonde port 3155/TCP port 3155 tcp · via HTTP:3155 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3155 Chemin / cible / Preuve honeypot — Sonde port 3155/TCP Connexion détectée sur le port 3155 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_3155_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3155 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3155 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "66750780009e95b4debea62d947fecf2f2c056f1", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.072655467654182, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 3155, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "c5ae4600490af6fbf7dc423a5621c0040b56e04b", "event_fingerprint": "6cf8aa25eab55930b30c1cd83ae266703857a98d", "classification_reason": "Type \u00ab port_3155_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "1b6485c1cf6ac1c28a0940a923007826", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3155, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3155\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3155\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3155\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3155\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3155\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_3155_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ee1ceaf6d45a532dc3f77384f1aaf589456fe4bc", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3155, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3155\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 3155 tcp \u00b7 via HTTP:3155 \u00b7 (sonde \/ probe)", "target_port_label": "3155 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_3155_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_3155_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3155, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3155, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 3155 tcp \u00b7 via HTTP:3155 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3155\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "3155 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3155" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "rtmp" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 09:23:55 UTC	TCP	8935 · HTTP	http	Sonde port 8935/TCP port 8935 tcp · via HTTP:8935 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8935 Chemin / cible / Preuve honeypot — Sonde port 8935/TCP Connexion détectée sur le port 8935 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8935_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8935 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8935 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "915f8ec42ed6dd78da1b122d39f14aa74c4a4415", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.113751358065142, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8935, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "da4e5b30aeb89db264fb5a65570c7eca853213db", "event_fingerprint": "285f7a853188a4c2a411a2c7a5c1d071a19d3acd", "classification_reason": "Type \u00ab port_8935_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "0f765c715af471e09e89f45bd41039a6", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8935, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8935\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8935\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8935\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8935\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8935\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8935_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "203c8bce508944363533082c3f6e3e053898de23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8935, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8935\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8935 tcp \u00b7 via HTTP:8935 \u00b7 (sonde \/ probe)", "target_port_label": "8935 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8935_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8935_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8935, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8935, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8935 tcp \u00b7 via HTTP:8935 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8935\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8935 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8935" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "rtmp" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 84 }
15/06/2026 09:21:12 UTC	TCP	19443 · HTTP	http	Sonde port 19443/TCP port 19443 tcp · via HTTP:19443 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 19443 Chemin / cible / Preuve honeypot — Sonde port 19443/TCP Connexion détectée sur le port 19443 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_19443_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:19443 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:19443 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "2d7536f1f122a2237cdb15ca4659e58acd7686cd", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.124116648788935, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 19443, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "db95c8ffbe1fa402b0cb928f12b663b96c4db739", "event_fingerprint": "30cac791387231666b91c8a23c5905420b97cd25", "classification_reason": "Type \u00ab port_19443_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "58a32db0ecbe62259ef87b715c3629c3", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 19443, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_19443_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6082326b37378545f1036b4462364b61a12a6123", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 19443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 19443 tcp \u00b7 via HTTP:19443 \u00b7 (sonde \/ probe)", "target_port_label": "19443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_19443_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_19443_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 19443, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 19443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 19443 tcp \u00b7 via HTTP:19443 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "19443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "19443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "rtmp" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 09:19:43 UTC	TCP	1935 · RTMP	rtmp	rtmp probe rtmp probe · via RTMP:1935 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTMP WAF — Recommandation Surveiller Tags http_get_probe net_rtmp_probe rtmp_emulated rtmp_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1935 Chemin / cible — Service RTMP Payload GET / HTTP/1.1 Host: 62.3.50.33:1935 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Pourquoi cette classification : Type « rtmp_probe » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 34 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1935 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1935 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "03000000000102030405060708", "emulator_response_len": 13, "bytes_in": 146, "payload_entropy": 5.094882265584569, "port_category": "registered", "org": "Google LLC", "service": "rtmp", "app_proto": "rtmp", "asn": 396982, "country": "BE", "dst_port": 1935, "risk_waf": 8, "risk_classification": 46, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15 }, "risk_score": 34, "tag_count": 4, "anomaly_count": 0, "campaign_key": "63309c4ad0f7bb9ba40e0c8e15696ead3e61095f", "event_fingerprint": "aecab78495e2c32325572b256020fe37fc9aace2", "classification_reason": "Type \u00ab rtmp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 34, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "rtmp", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1296c36b74b390082ceac05ff9084272", "path_pattern_hash": "bd8d43a99a2e56d94224be83a9deaf5c" }, "target_context": { "dst_port": 1935, "service": "rtmp", "service_name": "rtmp", "risk_score": 34 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1935\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1935\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1935\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1935\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1935\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab rtmp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4c4cbc1f2777adfa8b376083e96301413b057c64", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1935\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "port": 1935, "service": "rtmp", "service_label_fr": "RTMP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1935\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "rtmp probe \u00b7 via RTMP:1935 \u00b7 (sonde \/ probe)", "target_port_label": "1935 \u00b7 RTMP", "emulator_service": "rtmp", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtmp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab rtmp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 34, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "rtmp", "service_label_fr": "RTMP", "dst_port": 1935, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtmp", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1935\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "port": 1935, "service": "rtmp", "service_label_fr": "RTMP" }, "attack_vector": "rtmp probe \u00b7 via RTMP:1935 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1935\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "1935 \u00b7 RTMP", "emulator_service": "rtmp", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtmp", "service_banner": "honeypot-rtmp", "service_os": "linux", "dst_port": "1935" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "rtmp" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_rtmp_probe", "rtmp_emulated", "rtmp_payload" ], "asn_dc_heuristic": true }
15/06/2026 09:19:17 UTC	TCP	8200 · HTTP	http	Sonde port 8200/TCP port 8200 tcp · via HTTP:8200 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8200 Chemin / cible / Preuve honeypot — Sonde port 8200/TCP Connexion détectée sur le port 8200 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8200_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8200 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8200 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "1b085ed71e3453f90e6fb0c42be126e42e28af3b", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.1025494948911705, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8200, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 5, "anomaly_count": 1, "campaign_key": "3dadf5caf46ce17146b31f5283d6e0ec1132252b", "event_fingerprint": "f22e7e8fbc7380830843652df03533c726932827", "classification_reason": "Type \u00ab port_8200_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "cee101212fd16c0e4c1d482a3353f253", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8200, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8200\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8200\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8200\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8200\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8200\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8200_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ab5089a2327bfd0e2c29391be9cccb29f9cc1f97", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8200\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8200 tcp \u00b7 via HTTP:8200 \u00b7 (sonde \/ probe)", "target_port_label": "8200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8200_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8200_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8200, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8200 tcp \u00b7 via HTTP:8200 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8200\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "net_web_probe", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 09:05:28 UTC	TCP	5991 · HTTP	http	Sonde port 5991/TCP port 5991 tcp · via HTTP:5991 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5991 Chemin / cible / Preuve honeypot — Sonde port 5991/TCP Connexion détectée sur le port 5991 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_5991_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5991 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5991 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "d738f93458224cfd76fbd5d5b10b1336b7c93b66", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.105907200340986, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 5991, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "2447c7e9dd24f1313b77bd521fe926f34556a1b6", "event_fingerprint": "bcc0da7b1feda9cf676cf2802edf1a36a923edc4", "classification_reason": "Type \u00ab port_5991_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "2ae03c654a4c3e5e20ea25e9fdbcfda7", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5991, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5991\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5991\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5991\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5991\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5991\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_5991_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "035a7e6c39762cc69eb16648d6348e1ff45ff711", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5991, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5991\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 5991 tcp \u00b7 via HTTP:5991 \u00b7 (sonde \/ probe)", "target_port_label": "5991 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_5991_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_5991_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5991, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5991, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 5991 tcp \u00b7 via HTTP:5991 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5991\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "5991 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5991" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 08:58:23 UTC	TCP	20018 · HTTP	http	Sonde port 20018/TCP port 20018 tcp · via HTTP:20018 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20018 Chemin / cible / Preuve honeypot — Sonde port 20018/TCP Connexion détectée sur le port 20018 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_20018_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20018 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20018 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "bb7d9250964198a943b8ef790c31026e4a573dc2", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.107855699635443, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 20018, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "55b8939bf23ee27f42a6c47b9f82a961a305b5f1", "event_fingerprint": "0a8dd757b0d292e9f9a518b7f28a9e0ef1c4ca15", "classification_reason": "Type \u00ab port_20018_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "b9e68db6fccc4670e1586e8c0176eab1", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 20018, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20018\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20018\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20018\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20018\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20018\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_20018_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0072459fd3bb83a2f5017c5cb22bdc6e92b6c094", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 20018, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20018\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 20018 tcp \u00b7 via HTTP:20018 \u00b7 (sonde \/ probe)", "target_port_label": "20018 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_20018_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_20018_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20018, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 20018, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 20018 tcp \u00b7 via HTTP:20018 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20018\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "20018 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20018" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 08:56:39 UTC	TCP	8385 · HTTP	http	Scan de ports port scan syn · via HTTP:8385 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8385 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8385 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8385 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "9ebe11dafb86c35ed5ebf11b45523ab672a9d2bc", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.100052727928154, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8385, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 1, "campaign_key": "0254d1120a94b25fc5a611e884d854f1d973a76d", "event_fingerprint": "7b346c1853e45e578fccea21ee2cb95b4c139d98", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "c8d87fb46a8aef4a91b8f40fed3df69d", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8385, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8385\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8385\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8385\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8385\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8385\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ff0d11eeaaa150f7bee62158d898a0b7c59436fa", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8385, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8385\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:8385 \u00b7 (reconnaissance)", "target_port_label": "8385 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8385, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8385, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8385 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8385\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8385 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8385" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:56:09 UTC	TCP	12428 · HTTP	http	Sonde port 12428/TCP port 12428 tcp · via HTTP:12428 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12428 Chemin / cible / Preuve honeypot — Sonde port 12428/TCP Connexion détectée sur le port 12428 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_12428_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12428 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12428 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "9e14bb9f90cb479bd62f7380dfeb6134a1eaaf83", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.1156464957424275, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 12428, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "ca9bc35355489057d0dc0d590a8539c12af1f9ca", "event_fingerprint": "4b4cf16cf5c08136a9da1bacf660c3cc503a00c2", "classification_reason": "Type \u00ab port_12428_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "cebf92c67e69eb1493b4fc09e77af856", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12428, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12428\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12428\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12428\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12428\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12428\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_12428_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c7d852eb4b56dd86141110c7f20193f0e7d129b4", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12428, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12428\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 12428 tcp \u00b7 via HTTP:12428 \u00b7 (sonde \/ probe)", "target_port_label": "12428 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_12428_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_12428_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12428, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12428, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 12428 tcp \u00b7 via HTTP:12428 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12428\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "12428 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12428" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:56:05 UTC	TCP	4063 · HTTP	http	Sonde port 4063/TCP port 4063 tcp · via HTTP:4063 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4063 Chemin / cible / Preuve honeypot — Sonde port 4063/TCP Connexion détectée sur le port 4063 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_4063_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:4063 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:4063 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "758aaecdbc6749375f962bdbe1ff7a775c05ff02", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.105223190271739, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 4063, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "a4c6d3fa8ad701e894c194670efef17ea4937cb3", "event_fingerprint": "b75f1af4731be320fa473879a8de869f18751d44", "classification_reason": "Type \u00ab port_4063_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "9758b30184ab5539fc0a9857bad3a888", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 4063, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4063\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4063\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4063\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4063\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4063\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_4063_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "304775167eb74f01d3286baa1fba7634f17addc7", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 4063, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4063\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 4063 tcp \u00b7 via HTTP:4063 \u00b7 (sonde \/ probe)", "target_port_label": "4063 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_4063_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_4063_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4063, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 4063, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 4063 tcp \u00b7 via HTTP:4063 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4063\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "4063 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4063" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:54:53 UTC	TCP	21239 · HTTP	http	Sonde port 21239/TCP port 21239 tcp · via HTTP:21239 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 21239 Chemin / cible / Preuve honeypot — Sonde port 21239/TCP Connexion détectée sur le port 21239 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_21239_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:21239 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:21239 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "8a3bb741d2320d29b27000d7bfe66e21111d6c40", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.0910911183653065, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 21239, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "5282f2159a036f33a5157e7d87d43df4a189b35b", "event_fingerprint": "6bc33e8c2e18bf8bfd7eb45afdff215da59bc1b2", "classification_reason": "Type \u00ab port_21239_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "2ba515030be19589cc636b1c64616399", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 21239, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21239\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21239\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21239\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21239\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21239\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_21239_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8fb7a8f32bfbedf563dff5343d9f2c84d808d03e", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 21239, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21239\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 21239 tcp \u00b7 via HTTP:21239 \u00b7 (sonde \/ probe)", "target_port_label": "21239 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_21239_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_21239_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 21239, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 21239, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 21239 tcp \u00b7 via HTTP:21239 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21239\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "21239 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "21239" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:54:03 UTC	TCP	12557 · HTTP	http	Sonde port 12557/TCP port 12557 tcp · via HTTP:12557 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12557 Chemin / cible / Preuve honeypot — Sonde port 12557/TCP Connexion détectée sur le port 12557 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_12557_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12557 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12557 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "5406eb33a25b40729c30b9931fb5fd1b82c09af7", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.099385546588937, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 12557, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "78efc2c535c98466e377cdcc1f36f9cc51287f91", "event_fingerprint": "ed7a7f20476db0710598deab30357e474553f1ce", "classification_reason": "Type \u00ab port_12557_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "6a01df9bd240c41faba10296b11ca299", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12557, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12557\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12557\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12557\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12557\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12557\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_12557_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "968204fa9fe16cd7048d834bf87752bbd5715f36", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12557, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12557\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 12557 tcp \u00b7 via HTTP:12557 \u00b7 (sonde \/ probe)", "target_port_label": "12557 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_12557_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_12557_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12557, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12557, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 12557 tcp \u00b7 via HTTP:12557 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12557\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "12557 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12557" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:52:10 UTC	TCP	12145 · HTTP	http	Sonde port 12145/TCP port 12145 tcp · via HTTP:12145 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12145 Chemin / cible / Preuve honeypot — Sonde port 12145/TCP Connexion détectée sur le port 12145 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_12145_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12145 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12145 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "cc49c77968b6cd48052a213b467c5d2068bc29f7", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.099385546588937, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 12145, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "140697469e658a7fdd5fdbee9486a98b3a63df09", "event_fingerprint": "82ac519616516a4dbceb887d14d5ea2bf340779a", "classification_reason": "Type \u00ab port_12145_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "69346c601a227f78c8cca00e1d3689ff", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12145, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12145\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12145\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12145\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12145\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12145\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_12145_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e4cf35a22bd548e0e418cd18f02ce13944a19bec", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12145, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12145\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 12145 tcp \u00b7 via HTTP:12145 \u00b7 (sonde \/ probe)", "target_port_label": "12145 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_12145_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_12145_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12145, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12145, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 12145 tcp \u00b7 via HTTP:12145 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12145\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "12145 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12145" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 08:50:08 UTC	TCP	8731 · HTTP	http	Sonde port 8731/TCP port 8731 tcp · via HTTP:8731 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8731 Chemin / cible / Preuve honeypot — Sonde port 8731/TCP Connexion détectée sur le port 8731 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8731_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8731 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8731 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "f6a2d13bc1a9119fea0f4340ae4e0962dee6c018", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.113751358065142, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8731, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "4a30da9f0a9a635a4031cde2d85e02c615ee323f", "event_fingerprint": "177d10764847ddc2a557f200a095b64408ed5cce", "classification_reason": "Type \u00ab port_8731_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "fb7a156b5884428d9aae27e78866a71f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8731, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8731\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8731\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8731\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8731\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8731\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8731_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d67c6ae1576707001c68044ded4cc33e8a4bbd13", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8731, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8731\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8731 tcp \u00b7 via HTTP:8731 \u00b7 (sonde \/ probe)", "target_port_label": "8731 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8731_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8731_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8731, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8731, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8731 tcp \u00b7 via HTTP:8731 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8731\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8731 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8731" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:49:25 UTC	TCP	1388 · HTTP	http	Sonde port 1388/TCP port 1388 tcp · via HTTP:1388 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1388 Chemin / cible / Preuve honeypot — Sonde port 1388/TCP Connexion détectée sur le port 1388 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_1388_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1388 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1388 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "1584448e841822b8b030e481fc71d7358e1ba356", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.100052727928154, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 1388, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "ebe1763a9b0f8a0039fb9e81ff37cb717570d59c", "event_fingerprint": "3e1e2b4bee92050644e84cad3aa1e13ce9a16584", "classification_reason": "Type \u00ab port_1388_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "f0f3d35cfd99f8827b8e12745630769b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 1388, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1388\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1388\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1388\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1388\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1388\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_1388_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1b19f2e8e2b74fc5bc7c9d6547c4522a8980564b", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 1388, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1388\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 1388 tcp \u00b7 via HTTP:1388 \u00b7 (sonde \/ probe)", "target_port_label": "1388 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_1388_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_1388_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1388, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 1388, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 1388 tcp \u00b7 via HTTP:1388 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1388\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "1388 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1388" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:46:29 UTC	TCP	8649 · HTTP	http	Sonde port 8649/TCP port 8649 tcp · via HTTP:8649 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8649 Chemin / cible / Preuve honeypot — Sonde port 8649/TCP Connexion détectée sur le port 8649 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8649_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8649 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8649 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "6e89f84c84c92f97b94939e5f161a69a7a5968d8", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.143645385302128, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8649, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "1914dcf7a6daf99c81dc30a342031a0fb3afd5b0", "event_fingerprint": "1d9c5b8bafbccd325b055ae6d604af2aaa219007", "classification_reason": "Type \u00ab port_8649_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "7798ce21f2a13c2a08560e10567298be", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8649, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8649\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8649\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8649\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8649\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8649\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8649_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4fc3b98a1c47fefec62fa9ab424cb56d70af0833", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8649, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8649\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8649 tcp \u00b7 via HTTP:8649 \u00b7 (sonde \/ probe)", "target_port_label": "8649 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8649_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8649_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8649, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8649, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8649 tcp \u00b7 via HTTP:8649 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8649\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8649 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8649" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:46:23 UTC	TCP	16404 · HTTP	http	Sonde port 16404/TCP port 16404 tcp · via HTTP:16404 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 16404 Chemin / cible / Preuve honeypot — Sonde port 16404/TCP Connexion détectée sur le port 16404 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_16404_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16404 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16404 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "127701da243c959897062d8032a66c4ac7543ab6", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.121461141812316, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 16404, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "89b871183bf5f6bc2b39ebbc6bf1f1fd254415bc", "event_fingerprint": "a1ea69d7f3a82f188dd7d973bca1d0c711fcbef8", "classification_reason": "Type \u00ab port_16404_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "431dcdedfa4b98a92943d7c834938168", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 16404, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16404\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16404\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16404\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16404\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16404\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_16404_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "97ccc6b94ee3114299a81b3dff787267acaa54a3", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16404, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16404\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 16404 tcp \u00b7 via HTTP:16404 \u00b7 (sonde \/ probe)", "target_port_label": "16404 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_16404_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_16404_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 16404, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16404, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 16404 tcp \u00b7 via HTTP:16404 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16404\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "16404 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "16404" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:45:06 UTC	TCP	2211 · HTTP	http	Scan de ports port scan syn · via HTTP:2211 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2211 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2211 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2211 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "4a355a814f2ea1198c7eda0588638ed3d9262c80", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.069297762204367, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 2211, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 1, "campaign_key": "7f2125a78cd2c26ab02e8312e1b5e62c842f31e7", "event_fingerprint": "48a213c4f4e968da14a2cd88e5af9c32dc3ae7af", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "78c0d2a3281b4a78347f2fb2fea2a35e", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2211, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2211\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2211\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2211\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2211\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2211\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5d196a03c4359464aa7b9beebe8fbeb4a53656d5", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2211, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2211\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:2211 \u00b7 (reconnaissance)", "target_port_label": "2211 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2211, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2211, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2211 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2211\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "2211 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2211" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:44:37 UTC	TCP	785 · HTTP	http	Sonde port 785/TCP port 785 tcp · via HTTP:785 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 785 Chemin / cible / Preuve honeypot — Sonde port 785/TCP Connexion détectée sur le port 785 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_785_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:785 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connectio Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:785 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "42a89bc0c874de46c30cdb23e435d90036f2578b", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 145, "payload_entropy": 5.114412215225038, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 785, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "d0dd5448f710c6b73fe6df0b654f209aacfc9c01", "event_fingerprint": "83b40a601e347e4cbdca9bf6d9394f7d7326523c", "classification_reason": "Type \u00ab port_785_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "6f57c50d2181c11907fd244afe2e50b3", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 785, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:785\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnectio", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:785\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:785\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnectio", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:785\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:785\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnectio", "classification_reason": "Type \u00ab port_785_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "82ad6c5d89336ee7f42df21f02164cd722ad49f9", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 785, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:785\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnectio", "attack_vector": "port 785 tcp \u00b7 via HTTP:785 \u00b7 (sonde \/ probe)", "target_port_label": "785 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_785_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_785_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 785, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 785, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 785 tcp \u00b7 via HTTP:785 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:785\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnectio", "target_port_label": "785 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "785" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:44:16 UTC	TCP	15502 · HTTP	http	Sonde port 15502/TCP port 15502 tcp · via HTTP:15502 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 15502 Chemin / cible / Preuve honeypot — Sonde port 15502/TCP Connexion détectée sur le port 15502 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_15502_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:15502 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:15502 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "930efe7eab4c5c7e37d7bbdfa53b5ddbe424d37a", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.085780104412065, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 15502, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "59a37a3d7a30886c8e9b7a047dd3600f5a7a8254", "event_fingerprint": "15be5379bbb73f71eff177c7ded2371ca02dff60", "classification_reason": "Type \u00ab port_15502_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "390500bc720ce3d453b9ec071385a855", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 15502, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15502\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15502\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15502\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15502\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15502\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_15502_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d46d3b29c2ea2e1016fce7154c3cb51dd5b47591", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 15502, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15502\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 15502 tcp \u00b7 via HTTP:15502 \u00b7 (sonde \/ probe)", "target_port_label": "15502 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_15502_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_15502_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 15502, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 15502, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 15502 tcp \u00b7 via HTTP:15502 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15502\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "15502 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "15502" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:43:35 UTC	TCP	3008 · HTTP	http	Sonde port 3008/TCP port 3008 tcp · via HTTP:3008 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3008 Chemin / cible / Preuve honeypot — Sonde port 3008/TCP Connexion détectée sur le port 3008 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_3008_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3008 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3008 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "991d32257aabf701a8437f82ca96da1787be0d5a", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.100052727928154, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 3008, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "1010b84cb349471ead36fa68c4897bc8e421a329", "event_fingerprint": "d3f843b5a074719b92ecc458fb57793a6b3c299d", "classification_reason": "Type \u00ab port_3008_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "959ffaa07e5048121e030a1fee662a13", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3008, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_3008_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "beae392022387b5b7c14398f30281c7528ef5e5f", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3008, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 3008 tcp \u00b7 via HTTP:3008 \u00b7 (sonde \/ probe)", "target_port_label": "3008 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_3008_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_3008_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3008, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3008, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 3008 tcp \u00b7 via HTTP:3008 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "3008 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3008" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:43:01 UTC	TCP	4434 · HTTP	http	Sonde port 4434/TCP port 4434 tcp · via HTTP:4434 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4434 Chemin / cible / Preuve honeypot — Sonde port 4434/TCP Connexion détectée sur le port 4434 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_4434_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:4434 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:4434 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "753e2f4d730d00a78b52def8e3495b22c2ad280a", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.100052727928154, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 4434, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "161c00a0ae7f2a7522aba0bc461e16d4e33fc7dd", "event_fingerprint": "a93478a5623c4fc3cef1591978cd0b812ff3bcf6", "classification_reason": "Type \u00ab port_4434_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "027728c0de233a8b06eaf5b63e15d77c", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 4434, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_4434_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "60003280854abe8a76cb1d67899c7baf8ca6331d", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 4434, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 4434 tcp \u00b7 via HTTP:4434 \u00b7 (sonde \/ probe)", "target_port_label": "4434 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_4434_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_4434_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4434, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 4434, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 4434 tcp \u00b7 via HTTP:4434 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "4434 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4434" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:41:08 UTC	TCP	5083 · HTTP	http	Sonde port 5083/TCP port 5083 tcp · via HTTP:5083 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5083 Chemin / cible / Preuve honeypot — Sonde port 5083/TCP Connexion détectée sur le port 5083 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_5083_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5083 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5083 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "f48006e3e5ed3949f1c164a8724e4fe8f8597c67", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.100052727928154, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 5083, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "2ddbf1794c5480904e152eda717ec3e5a7630c27", "event_fingerprint": "2111c91df3510445b43d95e85e4d32cfc2378cc5", "classification_reason": "Type \u00ab port_5083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "5c1aff99ff3060603cbd688587754a83", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5083, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5083\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5083\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5083\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5083\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5083\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_5083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9cb29415519bf489d1fe682b7d5e7d3982b7d32e", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5083\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 5083 tcp \u00b7 via HTTP:5083 \u00b7 (sonde \/ probe)", "target_port_label": "5083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_5083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_5083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5083, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 5083 tcp \u00b7 via HTTP:5083 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5083\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "5083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:40:37 UTC	TCP	12135 · HTTP	http	Sonde port 12135/TCP port 12135 tcp · via HTTP:12135 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12135 Chemin / cible / Preuve honeypot — Sonde port 12135/TCP Connexion détectée sur le port 12135 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_12135_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12135 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12135 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "8ebae59c71f9fd1375bd39e0ad15cf7f685db3ce", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.074830169211816, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 12135, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "5dbd727a90a8c4f2e2eb0823c9f99194ce406884", "event_fingerprint": "7eac87aff21b0bd2284ac49d883eeecdbc99fd82", "classification_reason": "Type \u00ab port_12135_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "c35768138ec456a5f2652156aa0158a4", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12135, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12135\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12135\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12135\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12135\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12135\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_12135_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d5f7e8a65856ef131bf6956ce594e02d47fd4978", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12135, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12135\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 12135 tcp \u00b7 via HTTP:12135 \u00b7 (sonde \/ probe)", "target_port_label": "12135 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_12135_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_12135_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12135, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12135, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 12135 tcp \u00b7 via HTTP:12135 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12135\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "12135 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12135" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 84 }
15/06/2026 08:38:34 UTC	TCP	30023 · HTTP	http	Sonde port 30023/TCP port 30023 tcp · via HTTP:30023 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 30023 Chemin / cible / Preuve honeypot — Sonde port 30023/TCP Connexion détectée sur le port 30023 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_30023_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:30023 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:30023 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "8b9776b24535d9f3edaa10967a48fbdbb6ee8a8f", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.075509526151339, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 30023, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "292423631d681bf85561afa97be6bef77e16a7cb", "event_fingerprint": "7f02e2cbb9b59a3a1346482f35051e67d2dd35d1", "classification_reason": "Type \u00ab port_30023_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "4bb0cc1c9e51f605c58fb69b1ff5fb7a", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 30023, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30023\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30023\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30023\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30023\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30023\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_30023_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1f551e09aee114bbd262cf2d3d0d65811cc1226e", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 30023, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30023\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 30023 tcp \u00b7 via HTTP:30023 \u00b7 (sonde \/ probe)", "target_port_label": "30023 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_30023_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_30023_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 30023, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 30023, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 30023 tcp \u00b7 via HTTP:30023 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30023\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "30023 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "30023" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:38:10 UTC	TCP	8915 · HTTP	http	Scan de ports port scan syn · via HTTP:8915 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8915 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8915 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8915 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "34c7fbcbb0c1c94cd9d24ea03b7d35d10c3510c1", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.119605830477972, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8915, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 1, "campaign_key": "4610c0c3f7393948726c23e4b0893df433192668", "event_fingerprint": "b6575aed93cc1fd47d2e702751a1cebfac7fa650", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "73002ccd8006899e189160c08178dc97", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8915, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8915\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8915\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8915\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8915\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8915\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d287a8f606d89d18f89e9e68a67fda8ff3a63c8f", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8915, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8915\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:8915 \u00b7 (reconnaissance)", "target_port_label": "8915 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8915, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8915, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8915 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8915\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8915 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8915" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:37:26 UTC	TCP	9213 · HTTP	http	Scan de ports port scan syn · via HTTP:9213 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9213 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9213 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9213 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "42e35400f6de60d30667e1bdf4b23968ef46dde6", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.091524560134753, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9213, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 1, "campaign_key": "208a8943cc39b4b849fa318fdb9ff5bce683a531", "event_fingerprint": "254d297b7261547e86a0fee3a42116626d12739f", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "685e7ac4ffa867e0f4958d58572b8654", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9213, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9213\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9213\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9213\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9213\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9213\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "be9ce481f46b728afc9355864dbbdc4cb653d10f", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9213, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9213\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:9213 \u00b7 (reconnaissance)", "target_port_label": "9213 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9213, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9213, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9213 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9213\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9213 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9213" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:37:20 UTC	TCP	20070 · HTTP	http	Sonde port 20070/TCP port 20070 tcp · via HTTP:20070 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20070 Chemin / cible / Preuve honeypot — Sonde port 20070/TCP Connexion détectée sur le port 20070 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_20070_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20070 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20070 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "46294ecae722c145562b3ac383349bb84303b181", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.1045208357193, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 20070, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "2c6d5358dc6e4b7f3f0f31ebc8d4e8467f842a8c", "event_fingerprint": "ca13c0e1a09cd2d52e283b73d6ddd2c1fba1d5dc", "classification_reason": "Type \u00ab port_20070_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "d3aef66d9037fd39bcc1db55a742d617", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 20070, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_20070_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dd920bc95f30478f3a379f95944747f149535ce1", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 20070, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 20070 tcp \u00b7 via HTTP:20070 \u00b7 (sonde \/ probe)", "target_port_label": "20070 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_20070_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_20070_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20070, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 20070, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 20070 tcp \u00b7 via HTTP:20070 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "20070 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20070" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:36:56 UTC	TCP	12400 · HTTP	http	Sonde port 12400/TCP port 12400 tcp · via HTTP:12400 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12400 Chemin / cible / Preuve honeypot — Sonde port 12400/TCP Connexion détectée sur le port 12400 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_12400_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12400 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12400 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "56f3dee009ddf226a7debd56d80b8f1a5dc72811", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.107855699635443, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 12400, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "2cd3d2c9869ec9e24768333eb903ef07d78b2ddf", "event_fingerprint": "11b24388aec4fb6985a80b0979678745a403ffd3", "classification_reason": "Type \u00ab port_12400_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "8a086ea200e9f37216f66c5917bc3895", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12400, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12400\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12400\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12400\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12400\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12400\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_12400_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7a08262bd1c78bc21c87e9b02aa1737865c27a82", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12400, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12400\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 12400 tcp \u00b7 via HTTP:12400 \u00b7 (sonde \/ probe)", "target_port_label": "12400 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_12400_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_12400_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12400, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12400, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 12400 tcp \u00b7 via HTTP:12400 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12400\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "12400 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12400" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:33:05 UTC	TCP	19455 · HTTP	http	Scan de ports port scan syn · via HTTP:19455 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 19455 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:19455 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:19455 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "8f20a5dae54913afdd007ca1d25616a21c00ed8d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.121461141812314, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 19455, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 1, "campaign_key": "f4e510d5546cfb90d09324899b618c4b5906f317", "event_fingerprint": "beebafbd968ca7ace824651e40e18844c2048894", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "c03ec2b0f11bcdbc270e890fe2cf52d6", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 19455, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19455\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19455\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19455\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19455\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19455\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4497f57b8c05412549d4cf76459ef4b86f17d219", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 19455, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19455\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port scan syn \u00b7 via HTTP:19455 \u00b7 (reconnaissance)", "target_port_label": "19455 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 19455, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 19455, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:19455 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19455\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "19455 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "19455" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:32:55 UTC	TCP	12106 · HTTP	http	Scan de ports port scan syn · via HTTP:12106 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12106 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +6 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12106 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12106 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "14646060dd066167774234dd654755191369afd9", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.0909153935424305, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 12106, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 1, "campaign_key": "1688548ab814b4fcd494f2cc337cd24de9736a66", "event_fingerprint": "365f8a24cef1841b00ba6e3fd170a91b1d4aeaa0", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "f5f57eb18257f4defbd9bb5670b5537e", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12106, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12106\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12106\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12106\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12106\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12106\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5b0ac35ffb07717ad7bfd168097530f1af2b063a", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12106, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12106\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port scan syn \u00b7 via HTTP:12106 \u00b7 (reconnaissance)", "target_port_label": "12106 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne multi-ports", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42, "correlation_boost": 6 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12106, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports" ], "correlation_flags_labels_fr": [ "Campagne multi-ports" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +6", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12106, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:12106 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12106\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "12106 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +6 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12106" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 2111, 8099, 9169, 12106 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:32:25 UTC	TCP	8099 · HTTP	http	Scan de ports port scan syn · via HTTP:8099 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8099 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8099 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8099 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "611196ff5d5ba8288e3fb0ff9b6947637bff1fee", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.129946755165142, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8099, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 1, "campaign_key": "1ab9cc4d3bc6f85d170996996c977c48bc591956", "event_fingerprint": "20c3bcbb812d7aebc045f004e057837b8af0c832", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "792dc63287308c486b6dddef3e5292bf", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8099, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4fc19112635ea2e379091f78a5101e0e26ef7b16", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8099, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:8099 \u00b7 (reconnaissance)", "target_port_label": "8099 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8099, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8099, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8099 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8099 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8099" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:32:02 UTC	TCP	2111 · HTTP	http	Scan de ports port scan syn · via HTTP:2111 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2111 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2111 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2111 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "ae97108c2eea864cb7c7884ac26f7247d2314c15", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.069297762204365, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 2111, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 1, "campaign_key": "0f1027f08878887f6593b9b1e090b32ee0c356ac", "event_fingerprint": "decec46801d11773bba6934ca21a216223ce1ba8", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "bbedb1dab3dc2ecabe2e5ef157e80b12", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2111, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2111\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2111\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2111\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2111\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2111\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a23e4b6f426adc88eaaafe4051bd47746b80cdae", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2111, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2111\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:2111 \u00b7 (reconnaissance)", "target_port_label": "2111 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2111, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2111, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2111 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2111\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "2111 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2111" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:31:58 UTC	TCP	9169 · HTTP	http	Sonde port 9169/TCP port 9169 tcp · via HTTP:9169 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9169 Chemin / cible / Preuve honeypot — Sonde port 9169/TCP Connexion détectée sur le port 9169 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_9169_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9169 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9169 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "d82991aec912c7ee20c838fae2e5eae5f2dc7f27", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.111077662684571, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9169, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "86501ed127ab822de9bad1c981c78af8c27d4853", "event_fingerprint": "9a9af64214bbf05c724f151df463b67eb70bb905", "classification_reason": "Type \u00ab port_9169_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "5570922ed317b6c81c679e2ea57c9e19", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9169, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9169\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9169\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9169\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9169\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9169\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_9169_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aa456f1a99cee3a602933dd44ae35036c712f9ec", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9169, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9169\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 9169 tcp \u00b7 via HTTP:9169 \u00b7 (sonde \/ probe)", "target_port_label": "9169 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_9169_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_9169_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9169, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9169, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 9169 tcp \u00b7 via HTTP:9169 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9169\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9169 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9169" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:31:10 UTC	TCP	5558 · HTTP	http	Sonde port 5558/TCP port 5558 tcp · via HTTP:5558 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5558 Chemin / cible / Preuve honeypot — Sonde port 5558/TCP Connexion détectée sur le port 5558 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_5558_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5558 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5558 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "8d9bdab93d6e5fad4c32c438c09d61173a67989d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.091524560134753, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 5558, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "c4bf8b4c06539a33f63b9eb28efbb2a6bcec0bd6", "event_fingerprint": "2eeca299d13114c8665e0e3d686ca6ff1bd1fa49", "classification_reason": "Type \u00ab port_5558_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "94de29de0689f0c560348bc1c93ba607", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5558, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5558\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5558\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5558\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5558\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5558\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_5558_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3f7acb79a55505babcc47c659c6e0e01eb1bc533", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5558, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5558\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 5558 tcp \u00b7 via HTTP:5558 \u00b7 (sonde \/ probe)", "target_port_label": "5558 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_5558_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_5558_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5558, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5558, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 5558 tcp \u00b7 via HTTP:5558 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5558\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "5558 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5558" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:30:17 UTC	TCP	8575 · HTTP	http	Sonde port 8575/TCP port 8575 tcp · via HTTP:8575 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8575 Chemin / cible / Preuve honeypot — Sonde port 8575/TCP Connexion détectée sur le port 8575 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8575_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8575 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8575 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "d5667348204d04a272d429aef58e3caa2384f632", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.116248125028156, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8575, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "7227a889f86c2f5938d89158b7bddddc03f063d5", "event_fingerprint": "4de542560813f18ab397ee44e08f66a1ad521d08", "classification_reason": "Type \u00ab port_8575_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "2fcca623a56f0250264a035bf7e01265", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8575, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8575\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8575\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8575\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8575\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8575\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8575_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a0716916367e05265edc9beb116f55cfdd734dcc", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8575, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8575\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8575 tcp \u00b7 via HTTP:8575 \u00b7 (sonde \/ probe)", "target_port_label": "8575 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8575_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8575_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8575, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8575, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8575 tcp \u00b7 via HTTP:8575 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8575\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8575 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8575" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:16:20 UTC	TCP	8402 · HTTP	http	Sonde port 8402/TCP port 8402 tcp · via HTTP:8402 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8402 Chemin / cible / Preuve honeypot — Sonde port 8402/TCP Connexion détectée sur le port 8402 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8402_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8402 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8402 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "b7ac7f9c184b9129dbdaaf70bdf16697d5e1f4bb", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.121418587371742, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8402, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "d87353501437121cb523fbb79a0fb0b48d4c9eff", "event_fingerprint": "6b9a21bde0b339f21304a14af5179a07e485c9ac", "classification_reason": "Type \u00ab port_8402_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "901d4f2941d00083f27fee7dfd8de003", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8402, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8402\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8402\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8402\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8402\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8402\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8402_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5a430cfc73bea2a9920fb2d5916003aece2bc4b8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8402, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8402\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8402 tcp \u00b7 via HTTP:8402 \u00b7 (sonde \/ probe)", "target_port_label": "8402 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8402_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8402_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8402, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8402, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8402 tcp \u00b7 via HTTP:8402 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8402\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8402 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8402" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "clickhouse-native", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:13:25 UTC	TCP	9009 · CLICKHOUSE NATIVE	clickhouse-native	clickhouse probe clickhouse probe · via CLICKHOUSE NATIVE:9009 · (sonde / probe)	Élevée	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur CLICKHOUSE-NATIVE WAF — Recommandation Surveiller Tags clickhouse_native_emulated clickhouse_native_payload http_get_probe net_clickhouse_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9009 Chemin / cible — Service CLICKHOUSE NATIVE Payload GET / HTTP/1.1 Host: 62.3.50.33:9009 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Pourquoi cette classification : Type « clickhouse_probe » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 24 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9009 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9009 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "436c69636b486f757365207365727665722076657273696f6e2032342e332e312e0d0a", "emulator_response_len": 35, "bytes_in": 146, "payload_entropy": 5.111077662684571, "port_category": "registered", "org": "Google LLC", "service": "clickhouse-native", "app_proto": "clickhouse-native", "asn": 396982, "country": "BE", "dst_port": 9009, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15 }, "risk_score": 24, "tag_count": 4, "anomaly_count": 0, "campaign_key": "0f796e094798a041cc1b3136accd8e21cc25194c", "event_fingerprint": "a3cb4d107b5137f2b9397a7edc851a39fe91ed0c", "classification_reason": "Type \u00ab clickhouse_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 24, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "clickhouse-native", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "637b19f7a94186381e012211f57ea696", "path_pattern_hash": "a6f7713503e08b2580844867d22bf612" }, "target_context": { "dst_port": 9009, "service": "clickhouse-native", "service_name": "clickhouse-native", "risk_score": 24 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9009\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9009\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9009\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9009\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9009\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab clickhouse_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dfd58358bdcb34a2e234eb68f37852d7b214f498", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9009\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "port": 9009, "service": "clickhouse-native", "service_label_fr": "CLICKHOUSE NATIVE" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9009\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "clickhouse probe \u00b7 via CLICKHOUSE NATIVE:9009 \u00b7 (sonde \/ probe)", "target_port_label": "9009 \u00b7 CLICKHOUSE NATIVE", "emulator_service": "clickhouse-native", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab clickhouse_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab clickhouse_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 24, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "clickhouse-native", "service_label_fr": "CLICKHOUSE NATIVE", "dst_port": 9009, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-clickhouse-native", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9009\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "port": 9009, "service": "clickhouse-native", "service_label_fr": "CLICKHOUSE NATIVE" }, "attack_vector": "clickhouse probe \u00b7 via CLICKHOUSE NATIVE:9009 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9009\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9009 \u00b7 CLICKHOUSE NATIVE", "emulator_service": "clickhouse-native", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "clickhouse_native", "service_banner": "honeypot-clickhouse-native", "service_os": "linux", "dst_port": "9009" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "clickhouse-native", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "clickhouse_native_emulated", "clickhouse_native_payload", "http_get_probe", "net_clickhouse_probe" ], "asn_dc_heuristic": true }
15/06/2026 08:08:44 UTC	TCP	7480 · HTTP	http	Sonde port 7480/TCP port 7480 tcp · via HTTP:7480 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7480 Chemin / cible / Preuve honeypot — Sonde port 7480/TCP Connexion détectée sur le port 7480 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_7480_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7480 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7480 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "72fac0597e9ee948e24ababa6d47960fb08855c7", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.143645385302128, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 7480, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "5662e714cea2387e96cb5449100cd45e0595a78a", "event_fingerprint": "b641f6882d43de0c425ddde5d4097b366465bf20", "classification_reason": "Type \u00ab port_7480_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "dfc85af106fdf6f9c1eb23ae316462f0", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 7480, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7480\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7480\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7480\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7480\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7480\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_7480_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "958c8b5418034f3ab33614a89beae84a04857f3c", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 7480, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7480\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 7480 tcp \u00b7 via HTTP:7480 \u00b7 (sonde \/ probe)", "target_port_label": "7480 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_7480_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_7480_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7480, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 7480, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 7480 tcp \u00b7 via HTTP:7480 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7480\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "7480 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7480" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 08:07:18 UTC	TCP	9758 · HTTP	http	Sonde port 9758/TCP port 9758 tcp · via HTTP:9758 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9758 Chemin / cible / Preuve honeypot — Sonde port 9758/TCP Connexion détectée sur le port 9758 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_9758_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9758 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9758 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "308d0c0794ef7d65d16254ea5c1a7e08f73e5b00", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.138474922958543, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9758, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "e2206852fa4e3a48ea23194bb655326c8355ea23", "event_fingerprint": "d29d3c8bc9e2ce287c66e461d0d72dd2069bc268", "classification_reason": "Type \u00ab port_9758_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "becda093b1e754aff1222e23a2cc5360", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9758, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9758\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9758\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9758\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9758\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9758\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_9758_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8404758cde088d5e53156bea5cd559577897f93a", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9758, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9758\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 9758 tcp \u00b7 via HTTP:9758 \u00b7 (sonde \/ probe)", "target_port_label": "9758 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_9758_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_9758_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9758, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9758, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 9758 tcp \u00b7 via HTTP:9758 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9758\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9758 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9758" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 07:57:30 UTC	TCP	12283 · HTTP	http	Sonde port 12283/TCP port 12283 tcp · via HTTP:12283 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12283 Chemin / cible / Preuve honeypot — Sonde port 12283/TCP Connexion détectée sur le port 12283 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_12283_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12283 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12283 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "29428f79952776ebf36dafbae666a6d3f28d7f23", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.0910911183653065, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 12283, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "b3475da05a3f9cdf61f4d8eb693954eb8412e7bb", "event_fingerprint": "b5f293d291df2a061076804364ac1df066d18c36", "classification_reason": "Type \u00ab port_12283_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "be3bf0ef08b9557319dc1616da75a81c", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12283, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12283\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12283\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12283\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12283\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12283\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_12283_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e02ce570efdcadcfd7037be764bab47227e2d2d9", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12283, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12283\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 12283 tcp \u00b7 via HTTP:12283 \u00b7 (sonde \/ probe)", "target_port_label": "12283 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_12283_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_12283_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12283, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12283, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 12283 tcp \u00b7 via HTTP:12283 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12283\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "12283 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12283" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 07:52:21 UTC	TCP	8076 · HTTP	http	Sonde port 8076/TCP port 8076 tcp · via HTTP:8076 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8076 Chemin / cible / Preuve honeypot — Sonde port 8076/TCP Connexion détectée sur le port 8076 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8076_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8076 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8076 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "51351cf6517830208be4516a400b0f1c881839c2", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.129946755165142, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8076, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "828a1a83e21da1f48f9a51f78e2410da1f9c89a9", "event_fingerprint": "679f6f52f0da5f8fac71403263f40ea8f019fbd4", "classification_reason": "Type \u00ab port_8076_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "6270d4e6433c3b5e163a0b1140d595a2", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8076, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8076\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8076\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8076\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8076\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8076\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8076_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "64bd0869af32048691cbb395cf2a5bf18692e9ae", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8076, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8076\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8076 tcp \u00b7 via HTTP:8076 \u00b7 (sonde \/ probe)", "target_port_label": "8076 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8076_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8076_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8076, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8076, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8076 tcp \u00b7 via HTTP:8076 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8076\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8076 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8076" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }

34.76.60.10

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence